FortiWLC - Virtual Controller Deployment Guide Version 8.5.2 FORTINET DOCUMENT LIBRARY https://docs.fortinet.com

FORTINET VIDEO GUIDE https://video.fortinet.com

FORTINET BLOG https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT https://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM https://www.fortinet.com/support-and-training/training.html

NSE INSTITUTE https://training.fortinet.com

FORTIGUARD CENTER https://fortiguard.com/

END USER LICENSE AGREEMENT https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK Email: [email protected]

May 18, 2020 FortiWLC 8.5.2 Virtual Controller Deployment Guide TABLE OF CONTENTS

Change log 4 About FortiWLC Virtual Controllers 5 Advantages of FortiWLC Virtual Controllers 5 Supported Hardware Configuration 6 FortiWLC Virtual Controller Deployment Modes 6 FWC-VM Series Virtual Controllers 7 Virtual Controller Requirements 7 Common Terminology 7 Deploying FortiWLC Virtual Controllers with VMWare ESXi 9 Pre-requisites 9 Downloading the Virtual Controller PackageFile 9 Configuring the Virtual Controller 10 Installing the Virtual Controller 13 Starting the Virtual Controller 16 Recommended VMware ESXi Host Settings 17 Deploying FortiWLC Virtual Controllers with KVM 19 Pre-requisites 19 Downloading the Virtual Controller Package File 19 Installing Linux KVM 19 Configuring the Virtual Controller 21 Recommended Linux KVM Host Settings 24 Deploying FortiWLC Virtual Controllers on Hyper-V 27 Pre-requisites 27 Downloading the Virtual Controller Package File 27 Configuring the Virtual Controller 27 Recommended Hyper-V Settings 33 VMWare Tools 34 License Management for FortiWLC Virtual Controllers 37 FWC-VM Series Virtual Controllers 37 Importing and Installing a License 38 License Validation 39 License Monitoring 39 Managing FortiWLCVirtual Controllers 40 Upgrading FortiWLC Virtual Controllers 40 FortiWLC Virtual Controller High Availability 41 Troubleshooting Tips 43

FortiWLC Virtual Controller Deployment Guide Fortinet Technologies Inc. Change log 4

Change log

Date Change description

2020-05-18 FortiWLC version 8.5.2 document release.

FortiWLC Virtual Controller Deployment Guide Fortinet Technologies Inc. About FortiWLC Virtual Controllers 5

About FortiWLC Virtual Controllers

The Virtual Controllers are a software version of the FortiWLC Appliance Controllers that are installed on an existing hardware platform provided that the platform implements a supported virtual hosting software solution. The Virtual Controllers are built on the same System Director that powers the FortiWLC WLAN Controller for the enterprise delivering superior reliability, scalability and predictability for WLAN deployments. They run on the widely deployed VMware vSphere, RHEL Kernel-based (KVM), and Windows based Hyper-V platforms installed on industry-standard hardware. When a virtual controller is purchased, the controller image can be downloaded from the Customer Support Portal and, once properly installed, can be configured just as a standard physical machine. This section includes the following topics:

l Advantages of FortiWLC Virtual Controllers on page 5

l Supported Hardware Configuration on page 6

l FortiWLC Virtual Controller Deployment Modes on page 6

l FWC-VM Series Virtual Controllers on page 7

l Virtual Controller Requirements on page 7

l Common Terminology on page 7

Advantages of FortiWLC Virtual Controllers

These are some of the advantages of the FortiWLC Virtual Controllers.

l Flexibility in hardware selection based on your requirements.

l Reduced cost, space requirements, and other overheads since multiple appliances can be replaced with single hardware running multiple instances of the controllers, FWLM Management; which is a web based application suite which manages controllers and access points mapped to the network to provide real-time data that enables centralized and remote monitoring of the network, and FortinetConnect; which is a complete provisioning, management, and reporting system that provides temporary network access for guests, visitors, contractors, consultants, or customers..

l Independent and mutually exclusive instances allow administrators to use multiple virtual controllers to manage different locations or scale the deployment using the same hardware.

l Enable features provided by the virtualization software, including High Availability, failover protection, and ease of migration. VMWare vMotion Storage and Snapshots are supported. Hyper-V specific features (Snapshot, Failover (HA), Replication, Hot swapping) are not supported.

l Centralized control and visibility at every level of the virtual infrastructure.

FortiWLC Virtual Controller Deployment Guide Fortinet Technologies Inc. About FortiWLC Virtual Controllers 6

Supported Hardware Configuration

This section lists the controller models available for the new FWC-VM Series Virtual Controllers and their corresponding requirements.

Models FWC-VM-50 FWC-VM200 FWC-VM500 FWC-VM-1000 FWC-VM- 3000

Scale AP 50 200 500 1000 3000

Clients 1250 2500 6250 10000 30000

vCPU 4 4 8 24 48

Memory 4GB 8GB 12GB 32GB 64GB

vNIC 1-4 1-4 1-4 1-4 1-8

Disk Space 16GB (Fixed) 16GB (Fixed) 16GB (Fixed) 16GB (Fixed) 16GB (Fixed)

FortiWLC Virtual Controller Deployment Modes

The FWC-VM series Virtual Controllers can be deployed in different modes. The following list summarizes the recommended 3rd party software requirements for installing and configuring FortiWLC Virtual Controllers.

Platforms Supported

VMWare, vSphere ESXi 6.0, 6.5, and 6.7

vSphere client

Linux KVM Ubuntu 16.04.2 LTS

Hyper-V Windows 2016

Web based configuration interface has been tested with the following browsers:

l Internet Explorer versions 10 and 11 on Windows

l Firefox on Windows

l Safari on MAC OS

FortiWLC Virtual Controller Deployment Guide Fortinet Technologies Inc. About FortiWLC Virtual Controllers 7

FWC-VM Series Virtual Controllers

The FWC-VM Series Virtual Controllers are tested on Dell PowerEdge R730 CPUs– Intel(R) Xeon(R) CPU E5- 2697 v4 @ 2.30GHz. Any equivalent h/w that has support for Virtualization should work.

Virtual Controller Requirements

The following points are general advisories regarding Virtual Controllers.

l The number of Virtual Ports configured for the controller will vary depending on the controller’s model; be sure to configure the appropriate number of ports for the model being installed.

l If you are operating more than one Virtual Controller on a single host machine, ensure that the Virtual Interface for each Virtual Controller is configured in its own port group on the Virtual Switch. This will prevent network loops.

l Virtual Controller Ports can be configured for active-active mode or active/redundant mode.

Common Terminology

The following are some of the Networking VMware elements that will be used to configure the Virtual Controller to operate in VMware environment:

vSwitch This is a virtual switch, similar to a physical switch, performs functions including the Layer 2 forwarding engine, VLAN tagging, stripping, and filtering, security, checksum, and segmentation. The vSwitch links VMs to each other locally as well as to physical networks. A controller VE should connect to a vSwitch through virtual machine port groups.

Port Groups Port groups are not VLANs. They are configuration templates for the vNIC ports on the vSwitch. Administrators can set specific QoS, security policies, and VLANs by port group. This is where you should enable promiscuous mode (and not on the vSwitch).

Promiscuous Mode (VMWare ESXi only) Virtual Controllers are typically deployed as an in-line device on the data path and all the packets pass through the controller. Because of this, it needs to operate in Promiscuous mode. vSphere’s vSwitch and port group properties have the option to enable promiscuous mode. Again, it is highly recommended to enable this on the port group.

VM-NIC Queues Usage

FortiWLC Virtual Controller Deployment Guide Fortinet Technologies Inc. About FortiWLC Virtual Controllers 8

The field VM NIC Queues in thesh controller commandindicates the value assigned to a Controller for better performance, based on different platforms/. This field mainly applies for the Virtual Controller Instance’s deployed using VMWare and Linux KVM and not for Hyper-V. For Virtual Controller models deployed using Hyper-V Platform, this field is not applicable and shows N for all Controller models. For the Virtual Controller models deployed using different platforms, these are the VM NIC Queues values.

Platforms FWC-VM- FWC-VM-200 FWC-VM-500 FWC-VM-1000 FWC-VM-3000 50

VMWare 4 4 8 8 8

Linux KVM 2 2 4 8 16

Hyper-V N N N N N

FortiWLC Virtual Controller Deployment Guide Fortinet Technologies Inc. Deploying FortiWLC Virtual Controllers with VMWare ESXi 9

Deploying FortiWLC Virtual Controllers with VMWare ESXi

This section describes the virtual controller deployment procedure on VMWare ESXi. This section includes the following topics:

l Pre-requisites on page 9

l Downloading the Virtual Controller PackageFile on page 9

l Configuring the Virtual Controller on page 10

l Installing the Virtual Controller on page 13

l Starting the Virtual Controller on page 16

l Recommended VMware ESXi Host Settings on page 17

Pre-requisites

For deployment and management of the Virtual Controller, you will need to download any of these VMware suites to the workstation:

l Single ESXi server management − Use VMware vSphere Client.

l Multiple ESXi servers requires vCenter − Advance features are also tied with vCenter which needs separate licenses (vMotion, and so on). Virtual Controllers can be deployed in these 2 modes in a VMWare setup. Note: Fortinet recommends that you deploy the Virtual Controllers in the dedicated mode. This mode of deployment achieves the maximum throughput for each Controller model, especially when using the APs in Tunnel mode where all the traffic will be tunneled by the APs to the controller and then to the Network. The deployed Virtual controllers have a dedicated NIC, vSwitch and vPort Group. Start the VMware vSphere Client, and log in to the ESXi server. Go to Configuration and click Networking. As you can see, there are existing 2 VM running on the host, using the same vSwitch0 and same Virtual Machine port Group. The vSwitch is also used by the vKernel Port that is responsible for the ESXi management.

Downloading the Virtual Controller PackageFile

You can download the virtual controller packages from the Fortinet Customer Support website. To access the support website you need a Fortinet Customer Support account. The file name is, forti-x.x-xbuild-0-x86_64.ova, where x.x-x is the release version number. For example, 8.5.2.

FortiWLC Virtual Controller Deployment Guide Fortinet Technologies Inc. Deploying FortiWLC Virtual Controllers with VMWare ESXi 10

Configuring the Virtual Controller

In this deployment, we will be using an added NIC card with 2 Gig Ethernet ports as shown in the Network Adapters wizard. The 2 gig interfaces are connected to a Switch that support Link Aggregation (LAG). It is assumed in this procedure that the LAG is created on the switch and has the appropriate VLAN configuration. 1. Create a new Virtual Switch: Go to Networking and click AddNetworking…

2. Select Virtual Machineand click Next.

Create a vSwitch and assign the dedicated physical NIC. Click Next and provide a label for the vSwitch, for example, FWC-VM-50.

FortiWLC Virtual Controller Deployment Guide Fortinet Technologies Inc. Deploying FortiWLC Virtual Controllers with VMWare ESXi 11

3. For VLAN ID, select All (4095), if you are using Trunk port on the switch. Click Next and then Finish to complete the vSwitch creation.

4. The vSwitch and a virtual machine port group are created. For example, VM Network 4 port group is created as depicted in this image.

FortiWLC Virtual Controller Deployment Guide Fortinet Technologies Inc. Deploying FortiWLC Virtual Controllers with VMWare ESXi 12

5. Click on the vSwitch Properties and select the created port group; click Edit. In this example, the port group is VM Network 4.

6. Under the Security tab, select the PromiscuousMode and select Accept from the drop menu and click OK to apply the changes.

Note: The vSwitch main configuration is set to reject the Promiscuous mode, but the virtual machine port group overwrites the vSwitch configuration and operates in a Promiscuous Mode for the VM Network 4 port group.

FortiWLC Virtual Controller Deployment Guide Fortinet Technologies Inc. Deploying FortiWLC Virtual Controllers with VMWare ESXi 13

Each vNIC has to be a part of a different Vswitch connected to different physical ports. Now that the structure is ready, start installing the OVA template into the VMware host.

Installing the Virtual Controller

1. Go to File and click Deploy OVF Template…in order to start the installation.

FortiWLC Virtual Controller Deployment Guide Fortinet Technologies Inc. Deploying FortiWLC Virtual Controllers with VMWare ESXi 14

2. Browse to the location of the OVA template that you downloaded from Fortinet Support page and click Next.

3. Click Next and enter a Name for the Virtual Controller, for example, FWC-VM-50 is created as depicted in this image.

4. Configure the Resource Pool and Storage.

Use the default Disk Format - Thick Provisioning Lazy Zereod.

Configure Network Mapping.

FortiWLC Virtual Controller Deployment Guide Fortinet Technologies Inc. Deploying FortiWLC Virtual Controllers with VMWare ESXi 15

5. ClickFinish in theReady to Completewizard.

The upload and installation of the Virtual Controller will start, the time varies according to the network bandwidth between the vSphere Client and the ESXi Host. You should get aCompleted Successfully message at the end.

FortiWLC Virtual Controller Deployment Guide Fortinet Technologies Inc. Deploying FortiWLC Virtual Controllers with VMWare ESXi 16

Starting the Virtual Controller

Select the Controller and go to the Console Tab and Start the VM by clicking on the Power On button or (Ctrl+b). The Virtual Controller will start and you will see the entire startup message that you will typically found in a Hardware Controller. The first boot might take few minutes longer to boot up if no DHCP server is available as the controller will try to get an IP address from the DHCP server. Please refer to the Controller SD documentation to complete the controller installation.

FortiWLC Virtual Controller Deployment Guide Fortinet Technologies Inc. Deploying FortiWLC Virtual Controllers with VMWare ESXi 17

Recommended VMware ESXi Host Settings

Fortinet recommends the following VM configurations and global host settings for enhanced Controller performance.

VM Configuration Settings

l CPU affinity - In servers where the available physical cores (i.e. half of HT CPUs) are more than the required cores for Controllers, set the CPU affinity such that no two vCPUs are scheduled on the same physical core by the VMKernel. To set the CPU range, go to Edit Settings ->Virtual Hardware -> CPU -> Affinity.

l Latency Sensitivity - Set the Latency sensitivity to High, to do so, go to Edit Settings -> VM Options - > Advanced -> Latency Sensitivity.

l Virtual NIC settings - Disable virtual coalescing, to do so, go to Edit Settings -> Options tab -> Advanced -> Configuration Parameters and add an entry for ethernetX.coalescingScheme with the value disabled.

Global Host Settings

l Physical NIC settings – Disable the interrupt moderation/coalescing. Run the esxcli system module parameters set -m ixgbe -p "InterruptThrottleRate=0" CLI command. This is applicable to Intel 10G with ixgbe driver, that is, chipsets Intel 82599 and is not applicable or i40en based drivers. Run the esxcli network nic list CLI command to find the list of drivers.

l Set the /Net/MaxNetifTxQueueLen global parameter to 10000 (default is 2000). Run the esxcli system settings advanced set -o /Net/MaxNetifTxQueueLen -i=10000 CLI command.

l Set the /Net/NetVMTxType global parameter to 3 (applicable only for ESXi 6.5). Run the esxcli system settings advanced set -o /Net/NetVMTxType -i=3 CLI command. This allocates multiple Tx world, that is, 1 per queue.

These are the parameters for different Controller models.

Parameters FWC- FWC- FWC-VM- FWC- FWC-VM- FWC-VM- VM-50 VM-200 500 (10G) VM-1000 3000 500-(1G)

CPU affinity Yes Yes Yes Yes No Yes (Applicable only if the number of physical cores on the host are more than 48.)

Latency Sensitivity High High High High High High

FortiWLC Virtual Controller Deployment Guide Fortinet Technologies Inc. Deploying FortiWLC Virtual Controllers with VMWare ESXi 18

Parameters FWC- FWC- FWC-VM- FWC- FWC-VM- FWC-VM- VM-50 VM-200 500 (10G) VM-1000 3000 500-(1G)

Virtual NIC settings (Disable Yes Yes Yes Yes No Yes interrupt coalescing)

/Net/MaxNetifTxQueueLen 1000 1000 10000 10000 10000 1000

/Net/NetVMTxType (for ESXi 1 1 3 3 3 1 6.5 and above)

FortiWLC Virtual Controller Deployment Guide Fortinet Technologies Inc. Deploying FortiWLC Virtual Controllers with Linux KVM 19

Deploying FortiWLC Virtual Controllers with Linux KVM

This section describes the virtual controller deplyoment procedure on Linux KVM. This section includes the following topics:

l Pre-requisites on page 19

l Downloading the Virtual Controller Package File on page 19

l Installing Linux KVM on page 19

l Configuring the Virtual Controller on page 21

l Recommended Linux KVM Host Settings on page 24

Pre-requisites

For deployment and management of the Virtual Controller on Linux KVM, install the following 3rd party software.

l Install Ubuntu v16.04 LTS server.

l Install KVM on the Ubuntu LTS server.

l Create an open Vswitch with KVM.

l Install Virtual Machine Manage (virt-manager) to create and manage guest virtual machines. Note: To accomplish the pre-requisites refer to the respective 3rd party documentation.

Downloading the Virtual Controller Package File

You can download the virtual controller packages from the Fortinet Customer Support website. To access the support website you need a Fortinet Customer Support account. The file name is, forti-x.x-xbuild-0-x86_64.img.KVM.zip, where x.x-x is the release version number. For example, 8.5.2.

Installing Linux KVM

Install Ubuntu 16.04.2 64-bit Desktop version. 1. Run the apt-get install openssh-server command to install openssh utility. Now, you should be able to ssh to the machine.

FortiWLC Virtual Controller Deployment Guide Fortinet Technologies Inc. Deploying FortiWLC Virtual Controllers with Linux KVM 20

2. Run the egrep - '(vmx|svm)' /proc/cpuinfo command to check whether the system supports Virtualization or not. If the output is 0, then the system does not support Virtualization. If the output is greater than 0 it means your system is set and ready to go for KVM installation. 3. Run the apt-get install openvswitch openvswitch-common openvswitch-switch and /etc/init.d/openvswitch-switch start commands to install openvswitch which is used for tagging and untagging the vlans created. 4. Run the following commands to create a virtual-bridge.

l ovs-vsctl add-br

l ovs-vsctl port

l ovs-vsctl set port vnet0 trunks=0,168,169 In this command 168 and 169 are tagged vlans and 0 is a mandatory argument which specifies the native-vlan.

l dhclient < 5. Run the ovs-vsctl show command to see the virtual switch created. This is a sample command output: root@automation-HP-406-G1-MT:~# ovs-vsctl show 52690264-a2da-4a63-86e9-c8ceabf9be72 Bridge "N164-T168-T169" (N164-T168-T169:Bridge-name) Port "N164-T168-T169" (N164-T168-T169:port--name) Interface "N164-T168-T169" type: internal Port "enp3s0" (enp3s0:physical Ethernet port name) Interface "enp3s0" Port "vnet0" trunks: [0, 168, 169] Interface "vnet0" ovs_version: "2.5.0" 6. Run the sudo apt-get install -kvm libvirt-bin ubuntu-vm-builder bridge-utils command to install KVM. 7. Run the sudo adduser `id -username` libvirtd command to ensure that your Ubuntu username is added to the group libvirtd. 8. Run the sudo apt-get install virt-manager command to install graphical for KVM. 9. After the virt-manager is installed, type virt-manager to start the virtual manager application. 10. You can create a virtual Instance using GUI. In one of the window, you have to select bridge interface vnet0. 11. Create a virtual network:

l Create a directory for storing the virtual network xml file, for example, mkdir vmswitch-xml.

l Let the name of the xml file stored in the directory be N164-T168-T169.xml.

l Contents of the xml file are as follows: N164 #Created Bridge name #Created Port name #tagged vlan #tagged vlan

FortiWLC Virtual Controller Deployment Guide Fortinet Technologies Inc. Deploying FortiWLC Virtual Controllers with Linux KVM 21

12. Run the following commands to activate the created virtual network.

l virsh net-define N164-T168-T169.xml

l virsh net-start N164 13. Copy the image in the specified path and run the VM through virt-manager(GUI).

l cd /var/lib/libvirt/images/

l wget -c http://10.34.224.254/release/8.5-0build/11/x86_64/x86_64/FWCVIR/forti-8.5-0build-11- x86_64.img.KVM.zip(this is a sample file).

l Unzip forti-8.5-0build-11-x86_64.img.KVM.zip

Configuring the Virtual Controller

Perform these steps to configure a virtual controller. a. Open the virt-manager and select Import Existing Disk Image. b. Browse to the location of the downloaded package file and specify the OS type as Linux and Version as Ubuntu 16.04. c. Click Forward.

FortiWLC Virtual Controller Deployment Guide Fortinet Technologies Inc. Deploying FortiWLC Virtual Controllers with Linux KVM 22

d. Specify the memory and CPU setting as per the deployed virtual controller model.

e. Click Forward. f. Specify the hostname, select the network adapter from the Network Selection drop down, and specify the Portgroup.

g. Click Finish.

FortiWLC Virtual Controller Deployment Guide Fortinet Technologies Inc. Deploying FortiWLC Virtual Controllers with Linux KVM 23

h. In the CPUs settings, configure the Model as Nehalem. ClickApply.

i. In the VirtIO Disk1, under Advanced options, select the Disk bus as IDE. ClickApply.

FortiWLC Virtual Controller Deployment Guide Fortinet Technologies Inc. Deploying FortiWLC Virtual Controllers with Linux KVM 24

j. In the NIC settings, specify the Network source, Portgroup, and Device model as virtio. ClickApply.

k. The Virtual Controller deployment is complete.

Recommended Linux KVM Host Settings

Fortinet recommends the following host settings for enhanced Controller performance.

l Disable the offload settings like GSO, GRO, TSO, and UFO for all ports. Run the ethtool -K gso off lro off tso off ufo off command.

l Set the ring descriptor size (ethtool -G 4096) to the maximum limit (4096) for all ports.

l Set net.core.netdev_budget to 600 and net.core.netdev_max_backlog to 60000. The commands in the above steps could be set in /etc/rc.local so that configuration is retained on a reboot of the host. Based on the VM model, modify the guest xml file and add below line in each interface in xml file.as follows:

l FWC-VM-50:

l FWC-VM-200:

l FWC-VM-500:

l FWC-VM-1000:

FortiWLC Virtual Controller Deployment Guide Fortinet Technologies Inc. Deploying FortiWLC Virtual Controllers with Linux KVM 25

l FWC-VM-3000: This is an example of FWC-VM-200 configuration.

l In servers where the available physical cores, that is, half of HT CPUs, are more than the number of vhost kernel threads, set the IRQ affinity for vhost kernel threads. For example, in 1000D each port has 8 queues, hence, there are 32 total vhost threads. Use this script to set the affinity for vhost kernel threads for 1000D VM on Dell PowerEdge R730 (for other hosts, the configuration would be different). #!/bin/bash cpids=`ps -ef | grep [v]host- | awk '{ print $2 }' | xargs` echo $cpids for cpid in $cpids; do taskset -pc 36-71 $cpid echo $cpid] done This script sets the CPU affinity for vhost kernel threads from CPUs 36-71.

Paramete FWC-VM-50 FWC-VM-200 FWC-VM-500 FWC-VM-1000 FWC-VM- rs 3000

CPU Yes Yes Yes Yes No affinity (Applicable only if the number of physical cores on the host are more than 48.)

Offload Yes Yes Yes Yes Yes settings

Ring 4096 4096 4096 4096 4096 Descriptor size

Net.core Yes Yes Yes Yes Yes parameter s

FortiWLC Virtual Controller Deployment Guide Fortinet Technologies Inc. Deploying FortiWLC Virtual Controllers with Linux KVM 26

Paramete FWC-VM-50 FWC-VM-200 FWC-VM-500 FWC-VM-1000 FWC-VM- rs 3000

Guest on d’ d’ d’ d’ ioeventfd=’on’ ioeventfd=’on’ ioeventfd=’on’ ioeventfd=’on’ queues=’2’/> queues=’2’/> queues=’2’/> queues=’2’/>

FortiWLC Virtual Controller Deployment Guide Fortinet Technologies Inc. Deploying FortiWLC Virtual Controllers on Hyper-V 27

Deploying FortiWLC Virtual Controllers on Hyper-V

This section describes the virtual controller deplyoment procedure on Hyper-V. This section includes the following topics:

l Pre-requisites on page 27

l Downloading the Virtual Controller Package File on page 27]

l Configuring the Virtual Controller on page 27

l Recommended Hyper-V Settings on page 33

Note: FWC-VM-1000 & FWC-VM-3000 are not supported on the Windows Hyper-V platform.

Pre-requisites

For deployment and management of the Virtual Controller on Hyper-V, install the following 3rd party software.

l Install Windows server 2016.

l Install the Hyper-V role.

l Create a Hyper-V Vswitch. Note: To accomplish the pre-requisites refer to the respective 3rd party documentation.

Downloading the Virtual Controller Package File

You can download the virtual controller packages from the Fortinet Customer Support website. To access the support website you need a Fortinet Customer Support account. The file name is, forti-x.x-xbuild-0-x86_64.vhd.hv.zip, where x.x-x is the release version number. For example, 8.5.2.

Configuring the Virtual Controller

1. Download the package file to C:\Users\Public\Documents\Hyper-V\Virtual hard disks and unzip it. The file should have a unique name and one file is used to create only one instance.

FortiWLC Virtual Controller Deployment Guide Fortinet Technologies Inc. Deploying FortiWLC Virtual Controllers on Hyper-V 28

2. Open the HYPER-V manager and select New > Virtual Machine.

The Virtual Machine wizard is displayed. 3. Configure the following settings in the Virtual Machinewizard:

l Name and Location

FortiWLC Virtual Controller Deployment Guide Fortinet Technologies Inc. Deploying FortiWLC Virtual Controllers on Hyper-V 29

l Specify Generation – Select Generation 1.

FortiWLC Virtual Controller Deployment Guide Fortinet Technologies Inc. Deploying FortiWLC Virtual Controllers on Hyper-V 30

l Assign Memory (Supported Hardware Configuration)

FortiWLC Virtual Controller Deployment Guide Fortinet Technologies Inc. Deploying FortiWLC Virtual Controllers on Hyper-V 31

l Configure Networking

l Connect Virtual Hard Disk – Select Use an existing virtual hard disk

FortiWLC Virtual Controller Deployment Guide Fortinet Technologies Inc. Deploying FortiWLC Virtual Controllers on Hyper-V 32

4. Click Finish. The virtual machine is listed. 5. Select the newly created virtual machine and double-click. The settings are displayed. 6. Specify the Number of virtual processors in the Processor settings.

7. Select Enable MAC address spoofing in the Advanced Features settings to establish wireless connectivity.

FortiWLC Virtual Controller Deployment Guide Fortinet Technologies Inc. Deploying FortiWLC Virtual Controllers on Hyper-V 33

The Virtual Controller deployment is complete. 8. Run the following command in secure on each instance to get the configured VLAN working. This is a sample command: 9. Set-VMNetworkAdapterVlan -Trunk -AllowedVlanIdList "96" -VMName "Forti22" - VMNetworkAdapterName "Network Adapter" -NativeVlanId 0

Recommended Hyper-V Settings

Fortinet recommends the following settings for enhanced Controller performance.

l Disable the default VMQ.

l Enable RSS on all the adapters.

l Tx and Rx buffers set to 4096.

FortiWLC Virtual Controller Deployment Guide Fortinet Technologies Inc. VMWare Tools 34

VMWare Tools

Some utilities of the VMWare tool are supported on FortiWLC to improve managing of the virtual machines.

Graceful power shutdown Right-click the virtual machine and click select Power > Shut Down Guest to shut down the guest operating system gracefully.

Clock/time synchronization between the guests and the hosts Right-click the virtual machine and click Edit Settings. Click the Options tab and select VMware Tools. Enable Synchronize guest time with host to configure the guest operating system to synchronize time with the host.

Quiescing guest file systems to allow hosts to capture file-system-consistent guest snapshots Right-click the virtual machine and click Snapshot > Take Snapshot. Update the required fields and enable Quiesce guest (Needs VMware Tools installed) to pause running processes on the guest operating system so that file system contents are in a known consistent state when you take the snapshot.

FortiWLC Virtual Controller Deployment Guide Fortinet Technologies Inc. VMWare Tools 35

Note: Quiescing a file system can be done only on virtual machines that are powered on. Network information and resource utilization of the guest is published to the host. Select a virtual machine and click on the Resource Allocation tab to view the resource utilization details.

In the Summary tab, click View All against the IP addresses to view the virtual machine’s IP addresses (IPv4 and IPv6).

FortiWLC Virtual Controller Deployment Guide Fortinet Technologies Inc. VMWare Tools 36

FortiWLC Virtual Controller Deployment Guide Fortinet Technologies Inc. License Management for FortiWLC Virtual Controllers 37

License Management for FortiWLC Virtual Controllers

This section assumes you have already received your entitlement for the FortiWLC Virtual Controller you ordered. Along with the entitlement that allows you to obtain the license for your instance, you would also have received instructions on where to download the right version of the software for the model you ordered. Register your product at the Fortinet Customer Support portaland use the registration key and system ID to obtain a license file. Note: Obtain the license only after completing the installation of the Virtual Controller. Contact the Forticare Support with the details entailed in the following sections to obtain the license. This section includes the following topics:

l FWC-VM Series Virtual Controllers on page 37

l Importing and Installing a License on page 38

l License Validation on page 39

l License Monitoring on page 39

FWC-VM Series Virtual Controllers

After completing installation of the Virtual Controller, login to the controller and run the setup command to generate the system-id. Perform the following steps to obtain the license. 1. Run the setup command on the Controller to generate the system-id, configure the hostname, and configure the static IP address of the Controller, to ensure that the IP address does not change as the system-id/license is mapped to the IP address of the Controller. 2. Save the configuration. The Controller restarts. 3. Run the show system-id command to obtain the system-id. 4. Share the Virtual Controller model details and system-id with the Forticare Support team. 5. Configure the Virtual Controller instance with the required resources (Supported Hardware Configuration on page 6) as per the model for which the license has been generated. 6. Install the license from the GUI (See section Importing and Installing a License on page 38) OR from the CLI (Configuration Terminal mode => vm-license scp://username@:) 7. Reboot the Controller to apply the changes as per the generated license.

Note: A freshly installed system boots up as FWC-VM-50 with default license valid for 30 days.

l System-id is not get generated until you run the setup command on a fresh instance.

l System-id is coupled with the IP address. Hence, any change in the IP address generates a new system-id thereby failing validation of the older license. In this case, a new license is required. Changing the IP address via CLI followed by a reboot to activate the new IP address does not generate a new system-id. Hence, license validation fails and the Controller is once again the FWC-VM-50 model. Therefore, use only the setup command to change the Controller IP address.

FortiWLC Virtual Controller Deployment Guide Fortinet Technologies Inc. License Management for FortiWLC Virtual Controllers 38

l After the license is invalidated due to a change in the system-id and the controller is once again a FWC- VM-50 model, ensure that you delete (License Monitoring on page 39) the invalid license for the Controller to function properly. Else, the Controller reboots after every one hour.

Importing and Installing a License

Perform these steps to obtain the license using the GUI. 1. Navigate to Maintenance > System > VM Licensing This image displays a freshly installed system which has a default license (trial based) valid for 30 days from the license issued date. 2. In the VM Licensing wizard, click Import to add a license. By default, this page lists the license available on the system which includes details on the Virtual Controller model.

Browse to the license file and click Save.

The license can be imported through the CLI as well.

Notes:

l The Controller reboots when you have uploaded the license file.

l The Controller does not support importing license files with spaces or brackets [()] in the filename.

FortiWLC Virtual Controller Deployment Guide Fortinet Technologies Inc. License Management for FortiWLC Virtual Controllers 39

License Validation

After the license is imported, validation is performed on the license parameters. If that validation succeeds and the appropriate hardware resources for the requested controller model are allocated, then the license is installed successfully. If either license validation or hardware resource validation fails, the system reverts to the default license. See section Supported Hardware Configuration on page 6 for further details. Once the license is installed successfully, it replaces the default license. There are two types of licenses – Trial Based and Perpetual (Never ending).

License Monitoring

The license validation happens after every one hour at regular intervals. With 30 days to go for expiry, alarms are raised on the controller. The Software License Expired alarm is generated as per the configured severity. The default severity is critical. In a fresh installation running on a default license (FWC-VM-50) which is valid for 30 days, you get 30 additional days within which to purchase and apply for a valid license. If a valid license is not imported, at the end of additional 30 days, the Controller will reboot and the APs will go to offline state. To delete a perpetual license, select the license and click Remove License or run the delete vm-license CLI command. After the license is deleted, the Controller reboots and comes up as FWC-VM-50 with the default trial based license. Note: Deletion of trial based license is not allowed.

FortiWLC Virtual Controller Deployment Guide Fortinet Technologies Inc. Managing FortiWLCVirtual Controllers 40

Managing FortiWLCVirtual Controllers

Like any conventional Hardware Controller that Fortinet offers, the Virtual Controller can be managed by directly accessing the controller using the FortiWLC Web UI or FortiWLM. Refer to FortiWLC Configuration Guide and the FortiWLC Command Reference Guide or configuring and managing your Virtual Controller. The term Controller refers to Physical appliance as well as your Virtual Controller. This section includes the following topics:

l Upgrading FortiWLC Virtual Controllers on page 40

l FortiWLC Virtual Controller High Availability on page 41

Upgrading FortiWLC Virtual Controllers

Virtual Controllers can be upgraded the same way as the hardware controllers. Download the appropriate Virtual Controller image from Fortinet Customer Support website. Upgrading the controller can be done in the following ways:

l Using the FTP, TFTP, SCP, and SFTP protocols.

l Navigate to Maintenance < File Management in the FortiWLC GUI to import the downloaded package. The following are sample commands for upgrading the Virtual Controllers using any of these protocols.

l upgrade-image tftp://10.xx.xx.xx:forti-x.x-xbuild-x-x86_64-rpm.tar both reboot

l upgrade-image sftp://[email protected]:/home/forti-x.x-xGAbuild-88-FWC1KD-rpm.tar both reboot

l upgrade-image scp://[email protected]:/home /forti-x.x-xGAbuild-88-FWC1KD-rpm.tar both reboot

l upgrade-image ftp://[email protected]:forti-x.x-xbuild-x-x86_64-rpm.tar both reboot

The both option upgrades the binaries (rpm) as well as the Kernel (iso), the apps option upgrades only the binaries (rpm). After upgrade, the Virtual Controller should maintain the System-id of the system, unless there were some changes in the fields that are used to generate the system-id. See the to the Licensing section for detailed information. The international Virtual Controller can be installed, configured, licensed and upgraded the same way.

FortiWLC Virtual Controller Deployment Guide Fortinet Technologies Inc. Managing FortiWLCVirtual Controllers 41

FortiWLC Virtual Controller High Availability

Virtual Controller are affordable and an easy way to achieve High Availability for your environment. These are some highlights of the Virtual Controllers High Availability deployment:

l N+1 slave for controller appliances.

l The FWC-VM Series Virtual Controllers - Supports HW appliances of same model, for example,1000D-VM can act as N+1 slave for 1000D-VM only.

l When a controller slave becomes active, the slave model operates with the same capacity as that of the master controller it has taken over.

This table describes the N+1 compatibility with the MC Series as the master.

Slave Master

MC1550 MC3200 MC4200 MC6000

MC1550 ✓ X x x

MC3200 x ✓ x x

MC4200 x X ✓ x

MC6000 x X x ✓

FWC-50D x X x x

FWC-VM-50 x X x x

FWC-200D x ✓ x x

FWC-VM-200 x X x x

FWC-500D x X ✓ x

FWC-VM-500 x X x x

FWC-1000D x X x x

FWC-VM-1000 x X x x

FWC-3000D x X x x

FWC-VM-3000 x x x x

This table describes the N+1 compatibility with the FWC Series as the master.

FortiWLC Virtual Controller Deployment Guide Fortinet Technologies Inc. Managing FortiWLCVirtual Controllers 42

Master

Slave FWC- FWC- FWC- FWC- FWC- FWC- FWC- FWC- FWC- FWC- 50D VM- 200D VM- 500D VM- 1000D VM- 3000D VM- 50 200 500 1000 3000

MC1550 x x x x x x x X x X

MC3200 x x ✓ x x x x x x x

MC4200 x x x x ✓ x x x x x

MC6000 x x x x x x x x x x

FWC-50D ✓ x x X x x x x x x

FWC-VM- x ✓ x X x x x x x x 50

FWC- x x ✓ X x x x x x x 200D

FWC-VM- x x x ✓ x x x x x x 200

FWC- x x x X ✓ x x x x x 500D

FWC-VM- x x x X x ✓ x x x x 500

FWC- x x x X x x ✓ x x x 1000D

FWC-VM- x x x X x x x ✓ x x 1000

FWC- x x x X x x x x ✓ x 3000D

FWC-VM- x x x X x x x x x ✓ 3000

FortiWLC Virtual Controller Deployment Guide Fortinet Technologies Inc. Troubleshooting Tips 43

Troubleshooting Tips

APs not connecting to the controller & seeing duplicate responses for pings from the controller to an outside system. The same vSwitch is being used for both vNICs, define separate vSwitches for each vNIC. Alternatively, you could disable one of the vNICs in the virtual machine. You can disable the 2nd vNIC, by un-checking the Connected and Connect at Power On options.

Clients not able to connect to the network If you look at the station log and see “Client moved to wired side”. This is an indication that your vSwitches are not configured properly. Potentially vSwitch is not mapped to one physical vNIC or the physical resources is not bonded properly or multiple hosts are sharing the same vSwitch. How To Capture Events leading to a Crash on Virtual Controller 1. Unlike physical controllers, virtual controllers may not generate a kernel-gather file if they crash. 2. It should generate a file Fortinet-kernel-diag similar to Physical controller unless you encounter silent reboot which can happen to both VM and Physical controller. 3. The output for a virtual controller crash may well look like a fault on VMWare. 4. To confirm, connect a PC to the serial port of the physical host (virtual blade). 5. Map the serial port resource on the host to the VMware image. 6. Try to connect via PuTTY (same serial settings as those set for a physical host) to virtual controller. 7. You will be able to catch the reboot reason / crash log, the next time the event occurs. Does Fortinet Support Mesh on Virtual Controllers? Yes, Fortinet supports Mesh on Virtual controllers as well.

FortiWLC Virtual Controller Deployment Guide Fortinet Technologies Inc. Copyright© 2020 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.